British Airways hack is worse than originally thought

Last month, British Airways announced that the customer data and details of some 380,000 card payments had been stolen from its network by hackers between August 21 and September 5 2018.

Now, in an update posted on its website, British Airways says it has discovered that more of its customers have been affected - with potentially impacted individuals being those who made reward bookings between April 21 and July 28, 2018, and who used a payment card.

“Since our announcement on September 6, 2018 regarding the theft of our customers’ data, British Airways has been working continuously with specialist cyber forensic investigators and the National Crime Agency to investigate fully the data theft. We are updating customers today with further information as we conclude our internal investigation.”

“The investigation has shown the hackers may have stolen additional personal data and we are notifying the holders of 77,000 payment cards, not previously notified, that the name, billing address, email address, card payment information, including card number, expiry date and CVV have potentially been compromised, and a further 108,000 without CVV.”

The numbers here are a little confusing, so let me try to clarify things:

British Airways initially said 380,000 payment card details were accessed by hackers between August 21 and September 5. It now says that figure can be reduced to 244,000. That is obviously an improvement.

However, the airline's investigation has also uncovered that hackers were stealing information earlier in the year, between April 21 and July 28, affecting an additional 77,000 payment cards (including CVV) plus a further 108,000 (without CVV).

In total, I make that 429,000 payment card details that may have been stolen - and an additional 185,000 customers who need to be notified.

Like Cathay Pacific, which announced a much larger data breach this week, British Airways is keen to underline that it has seen no evidence that stolen information has been exploited by criminals.

This is a reassuring paragraph that hacked companies often emphasise in their communications to concerned customers, but you should be cautious about feeling too reassured.

An absence of evidence is not evidence of absence – if some of the stolen data has been misused by fraudsters and spammers, it wouldn’t necessarily have been linked back to this breach.

Put simply, there is no reason to believe that British Airways would have any visibility into whether the stolen data is being misused by criminals - so we shouldn't be surprised to hear that it has seen no verified cases of fraud as a result of the hack.

At the time of the original British Airways breach announcement in September we discussed the case on this episode of the “Smashing Security” podcast. Give it a listen:

About the author, Graham Cluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.